# Redactable Blockchain - or - Rewriting History in Bitcoin and Friends

EuroS&P, pp. 111-126, 2017.

Abstract:

We put forward a new framework that makes it possible to re-write or compress the content of any number of blocks in decentralized services exploiting blockchain technology. As we argue, there are several reasons to prefer an editable blockchain, spanning from the necessity to remove inappropriate content to the possibility to support applicatio...

Introduction

- The main security property satisfied by a secret/public-coin chameleon hash function is that of collision resistance: no PPT algorithm, given the public hash key hk, can find two pairs (m, ξ) and (m', ξ') that are both valid under hk and such that m ≠ m', except with negligible probability.
- Note that each time a block is redacted using Algorithm 1, a collision for the underlying chameleon hash function is exposed.

Highlights

- Who can make redactions? We show how to make redactions given the knowledge of a secret key
- We present concrete protocols for securely realizing the ideal functionalities described in the previous section
- We focus here on a specific construction relying on the Decisional Diffie-Hellman assumption and on the Sigma-protocol due to Schnorr [Sch91]; similar constructions can be obtained based on the RSA assumption, on Quadratic Residuosity, and on Factoring, using the Sigma protocols due to Guillou-Quisquater [GQ88], Fiat-Shamir [FS86], Ong-Schnorr [OS90], Okamoto [Oka92], and Fischlin and Fischlin [FF02]
- We have presented a framework to redact and compress the content of blocks in virtually any blockchain based technology
- There are several reasons why one could prefer a redactable blockchain to an immutable one

Results

- In Section 4 the authors explain how to generically leverage any standard collision-resistant chameleon hash function into one meeting such a key-exposure freeness requirement.
- Algorithm 1 (Chain Redact). Input: the input chain C of length n, a set of block indices I ⊆ [n], a set of values {x_i}_{i∈I}, and the chameleon hash trapdoor key tk.
- Following the common practice in the setting of MPC, the authors define two ideal functionalities that aim at capturing the security requirements for generating the hash keys and for redacting the blockchain in the decentralized setting.
- When the system is set up for the first time, the authors need to run the key generation algorithm HGen for the underlying chameleon hash function, obtaining a public hash key hk and a secret trapdoor key tk.
- Although the authors view the technical tools that make redactions possible as the main contribution of this work, a natural question is how the trapdoor key for the chameleon hash function is managed.
- The authors start by formally defining collision resistance of public/secret coin chameleon hash functions, in Section 4.1.
- Secret-coin chameleon hash functions can be used for the very same applications as public-coin ones, in particular for constructing chameleon signatures [KR00] and online/offline signatures [EGM96, ST01, BCR+13]; the only difference is that one needs to store the check value ξ in order to verify a hash value, and hash verification does not in general consist of re-computing the hash.
- Let CH = (HGen, Hash, HCol) be a public-coin chameleon hash function, let PKE = (KGen, Enc, Dec) be a PKE scheme, and let NIA = (I, P, V) be a non-interactive argument system for the language
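As an added example (not code from the paper), the construction described in the Introduction and Results bullets above, in Python: a Krawczyk-Rabin style discrete-log chameleon hash G(s, x; r) = g^m · hk^r with m derived from (s, x), blocks ⟨s, x, ctr, r⟩ linked by s' = H(ctr, G(s, x; r)), single-block redaction in the spirit of Algorithm 1 via HCol, and the key-exposure problem: the one collision that a redaction publishes gives away tk. The group parameters, the toy proof of work and the helper names are constructed for this example and are far too small for real use.

```python
import hashlib
from collections import namedtuple

# Toy DDH parameters, constructed for this example (real use needs a ~2048-bit p).
P, Q, G = 2039, 1019, 4                 # p = 2q + 1; g = 4 generates the order-q subgroup

def H(*parts):                          # the ordinary collision-resistant hash H (SHA-256)
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()

def to_exp(*parts):                     # map data into Z_q, the exponent space of G
    return int(H(*parts), 16) % Q

def hgen(tk):                           # HGen: trapdoor tk = x, public hash key hk = g^x
    return pow(G, tk % Q, P), tk % Q

def chash(hk, m, r):                    # Hash(hk, m; r) = g^m * hk^r mod p  (Krawczyk-Rabin)
    return pow(G, m, P) * pow(hk, r, P) % P

def hcol(tk, m, r, m_new):              # HCol: g^m hk^r = g^m' hk^r'  iff  m + x*r = m' + x*r' (mod q)
    return (r + (m - m_new) * pow(tk, -1, Q)) % Q

# A redactable block <s, x, ctr, r>: HashPrev, transactions, nonce, chameleon randomness.
Block = namedtuple("Block", "s x ctr r")

def block_hash(hk, b):                  # s' = H(ctr, G(s, x; r)), G being the chameleon hash
    return H(b.ctr, chash(hk, to_exp(b.s, b.x), b.r))

def mine(hk, s, x, difficulty=1):       # toy proof of work: hash must start with zero nibbles
    r = to_exp("rand", s, x)            # deterministic randomness keeps the example reproducible
    ctr = 0
    while not block_hash(hk, Block(s, x, ctr, r)).startswith("0" * difficulty):
        ctr += 1
    return Block(s, x, ctr, r)

def build_chain(hk, txs):
    chain, s = [], "0" * 64
    for x in txs:
        chain.append(mine(hk, s, x))
        s = block_hash(hk, chain[-1])
    return chain

def valid_chain(hk, chain, difficulty=1):   # unchanged validation: PoW + every HashPrev link
    for i, b in enumerate(chain):
        h = block_hash(hk, b)
        if not h.startswith("0" * difficulty) or (i + 1 < len(chain) and chain[i + 1].s != h):
            return False
    return True

def redact(hk, tk, chain, i, x_new):    # Algorithm 1 (Chain Redact) for a single index i
    b = chain[i]
    r_new = hcol(tk, to_exp(b.s, b.x), b.r, to_exp(b.s, x_new))
    return chain[:i] + [b._replace(x=x_new, r=r_new)] + chain[i + 1:]

def recover_trapdoor(old, new):         # key exposure: a public collision leaks x = (m - m') / (r' - r)
    m, m_new = to_exp(old.s, old.x), to_exp(new.s, new.x)
    if (new.r - old.r) % Q == 0:
        raise ValueError("not a collision: same randomness")
    return (m - m_new) * pow((new.r - old.r) % Q, -1, Q) % Q
```

After `redact`, every block hash equals the original chain's, so `valid_chain` still accepts it and later blocks need no re-mining; feeding the old and new block to `recover_trapdoor` returns tk, which is exactly the key-exposure problem that the paper's Section 4 construction removes.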

Conclusion

- Assume that CH is a public-coin collision-resistant chameleon hash function, that PKE is a CPA-secure PKE scheme, and that NIA is an f-tSE-NIZK for the language of Eq. (1), where for any witness (r, ρ) the authors define f(r, ρ) = r.
- As the experiments showed, the overhead imposed by having a mutable blockchain is negligible

- Table 1: The Redactable Bitcoin block header

Related work

- Several papers have analyzed the properties and extended the features of the Bitcoin protocol (see, e.g., [ADMM14b, AFMdM14, ADMM15, PS15]). Bitcoin has also found several innovative applications far beyond its initial scope, e.g., to achieve fairness in secure multi-party computation [ADMM14c, ADMM14a, BK14], to build smart contracts [KMS+15, BDM16], for distributed cryptography [AD15], and more [KMB15, KT15, RKS15]. Blockchain-based technologies, and the properties they achieve, were also studied in recent work, both for the synchronous [GKL15] and asynchronous [PSas16] network model.

[Figure: the redactable block structure. Each block stores HashPrev (s), Transactions (x), Nonce (ctr) and Randomness (r); the HashPrev field of the next block is s' = H(ctr, G(s, x; r)), where G is the chameleon hash, and the block after that stores s'' = H(ctr', G(s', x'; r')).]

References

- Accenture. Accenture debuts prototype of ‘editable’ blockchain for enterprise and permissioned systems. https://newsroom.accenture.com/news/accenturedebuts-prototype-of-editable-blockchain-for-enterprise-andpermissioned-systems.htm.
- Marcin Andrychowicz and Stefan Dziembowski. Pow-based distributed cryptography with no trusted setup. In CRYPTO, pages 379–399, 2015.
- Giuseppe Ateniese and Breno de Medeiros. On the key exposure problem in chameleon hashes. In SCN, pages 165–179, 2004.
- [ADMM14a] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Lukasz Mazurek. Fair two-party computations via Bitcoin deposits. In Financial Crypto, pages 105–121, 2014.
- [ADMM14b] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Lukasz Mazurek. Modeling Bitcoin contracts by timed automata. In FORMATS, pages 7–22, 2014.
- [ADMM14c] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Lukasz Mazurek. Secure multiparty computations on Bitcoin. In IEEE Symposium on Security and Privacy, pages 443–458, 2014.
- [ADMM15] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Lukasz Mazurek. On the malleability of bitcoin transactions. In Financial Crypto, pages 1–18, 2015.
- [AFMdM14] Giuseppe Ateniese, Antonio Faonio, Bernardo Magri, and Breno de Medeiros. Certified bitcoins. In ACNS, pages 80–96, 2014.
- Gilad Asharov and Yehuda Lindell. A full proof of the BGW protocol for perfectly secure multiparty computation. ECCC, 18:36, 2011.
- Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, pages 41–55, 2004.
- Gilles Brassard, David Chaum, and Claude Crépeau. Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci., 37(2):156–189, 1988.
- Emmanuel Bresson, Dario Catalano, Mario Di Raimondo, Dario Fiore, and Rosario Gennaro. Off-line/on-line signatures revisited: a general unifying paradigm, efficient threshold variants and experimental results. Int. J. Inf. Sec., 12(6):439–465, 2013.
- Waclaw Banasik, Stefan Dziembowski, and Daniel Malinowski. Efficient zero-knowledge contingent payments in cryptocurrencies without scripts. Cryptology ePrint Archive, Report 2016/451, 2016.
- Amos Beimel. Secret-sharing schemes: A survey. In IWCC, pages 11–46, 2011.
- Manuel Blum, Paul Feldman, and Silvio Micali. Non-interactive zero-knowledge and its applications (extended abstract). In STOC, pages 103–112, 1988.
- Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In STOC, pages 1–10, 1988.
- Iddo Bentov and Ranjit Kumaresan. How to use bitcoin to design fair protocols. In CRYPTO, pages 421–439, 2014.
- Allison Bishop, Valerio Pastro, Rajmohan Rajaraman, and Daniel Wichs. Essentially optimal robust secret sharing with maximal corruptions. IACR Cryptology ePrint Archive, 2015:1032, 2015.
- Mihir Bellare and Todor Ristov. A characterization of chameleon hash functions and new, efficient designs. J. Cryptology, 27(4):799–823, 2014.
- Vitalik Buterin. On public and private blockchains. https://blog.ethereum.org/2015/08/07/on-public-and-private-blockchains/.
- Coindesk. Bitcoin venture capital. http://www.coindesk.com/bitcoinventure-capital/.
- David Chaum and Torben P. Pedersen. Wallet databases with observers. In Advances in Cryptology - CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16-20, 1992, Proceedings, pages 89–105, 1992.
- Benoît Chevallier-Mames, Pascal Paillier, and David Pointcheval. Encoding-free ElGamal encryption without random oracles. In PKC, pages 91–104, 2006.
- Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO, pages 13–25, 1998.
- Xiaofeng Chen, Haibo Tian, Fangguo Zhang, and Yong Ding. Comments and improvements on key-exposure free chameleon hashing based on factoring. In Inscrypt, pages 415–426, 2010.
- Xiaofeng Chen, Fangguo Zhang, and Kwangjo Kim. Chameleon hashing without key exposure. In ISC, pages 87–98, 2004.
- Xiaofeng Chen, Fangguo Zhang, Willy Susilo, Haibo Tian, Jin Li, and Kwangjo Kim. Identity-based chameleon hash scheme without key exposure. In ACISP, pages 200–215, 2010.
- Xiaofeng Chen, Fangguo Zhang, Willy Susilo, Haibo Tian, Jin Li, and Kwangjo Kim. Identity-based chameleon hashing and signatures without key exposure. Inf. Sci., 265:198–210, 2014.
- Xiaofeng Chen, Fangguo Zhang, Haibo Tian, Baodian Wei, and Kwangjo Kim. Discrete logarithm based chameleon hashing and signatures without key exposure. Computers & Electrical Engineering, 37(4):614–623, 2011.
- Ivan Damgård. Collision free hash functions and public key signature schemes. In EUROCRYPT, pages 203–216, 1987.
- http://www.coindesk.com/immutability-extraordinary-goalsblockchain-industry/.
- Ivan Damgård, Matthias Fitzi, Eike Kiltz, Jesper Buus Nielsen, and Tomas Toft. Unconditionally secure constant-rounds multi-party computation for equality, comparison, bits and exponentiation. In TCC, pages 285–304, 2006.
- [DHLW10] Yevgeniy Dodis, Kristiyan Haralambiev, Adriana López-Alt, and Daniel Wichs. Efficient public-key cryptography in the presence of key leakage. In ASIACRYPT, pages 613–631, 2010.
- Shimon Even, Oded Goldreich, and Silvio Micali. On-line/off-line digital signatures. J. Cryptology, 9(1):35–67, 1996.
- Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Information Theory, 31(4):469–472, 1985.
- Ethereum. Ethereum project. https://www.ethereum.org/.
- Marc Fischlin and Roger Fischlin. The representation problem based on factoring. In CT-RSA, pages 96–113, 2002.
- Marc Fischlin. Communication-efficient non-interactive proofs of knowledge with online extractors. In CRYPTO, pages 152–168, 2005.
- [FKMV12] Sebastian Faust, Markulf Kohlweiss, Giorgia Azzurra Marson, and Daniele Venturi. On the non-malleability of the Fiat-Shamir transform. In INDOCRYPT, pages 60–79, 2012.
- European Union Agency for Network and Information Security. Distributed ledger technology & cybersecurity, 2016.
- Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In CRYPTO, pages 186–194, 1986.
- Juan A. Garay, Aggelos Kiayias, and Nikos Leonardos. The Bitcoin backbone protocol: Analysis and applications. In EUROCRYPT, pages 281–310, 2015.
- Shafi Goldwasser and Silvio Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984.
- Oded Goldreich. The Foundations of Cryptography - Volume 1, Basic Techniques. Cambridge University Press, 2001.
- Louis C. Guillou and Jean-Jacques Quisquater. A “paradoxical” indentity-based signature scheme resulting from zero-knowledge. In CRYPTO, pages 216–231, 1988.
- Jens Groth. Simulation-sound NIZK proofs for a practical language and constant size group signatures. In ASIACRYPT, pages 444–459, 2006.
- Jens Groth and Amit Sahai. Efficient non-interactive proof systems for bilinear groups. In EUROCRYPT, pages 415–432, 2008.
- Steve Hargreaves and Stacy Cowley. How porn links and Ben Bernanke snuck into Bitcoin's code. http://money.cnn.com/2013/05/02/technology/security/bitcoin-porn/index.html.
- Dennis Hofheinz and Eike Kiltz. Secure hybrid encryption from weakened key encapsulation. In CRYPTO, pages 553–571, 2007.
- Curt Hopkins. If you own Bitcoin, you also own links to child porn. http://www.dailydot.com/business/bitcoin-child-porn-transaction-code/.
- Hyperledger project. https://www.hyperledger.org.
- Blockchain Info. Bitcoin hashrate distribution. https://blockchain.info/pools.
- Ranjit Kumaresan, Tal Moran, and Iddo Bentov. How to use bitcoin to play decentralized poker. In CCS, pages 195–206, 2015.
- Ahmed E. Kosba, Andrew Miller, Elaine Shi, Zikai Wen, and Charalampos Papamanthou. Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. IACR Cryptology ePrint Archive, 2015:675, 2015.
- Hugo Krawczyk and Tal Rabin. Chameleon signatures. In NDSS, 2000.
- Aggelos Kiayias and Qiang Tang. Traitor deterring schemes: Using bitcoin as collateral for digital content. In CCS, pages 231–242, 2015.
- Alfonso Cevallos Manzano. Reducing the share size in robust secret sharing. Master’s thesis, Mathematisch Instituut Universiteit Leiden, the Netherlands, 2011.
- Hank Moonie. Man's "right to be forgotten" case stalls after he is found on the Bitcoin blockchain. https://medium.com/@hankmoonie/mans-right-to-beforgotten-case-stalls-after-he-is-found-on-the-bitcoin-blockchain1a32c4fc0963#.ed36n2iwg.
- Satoshi Nakamoto. Bitcoin core. https://github.com/bitcoin/bitcoin, 2009.
- Kaisa Nyberg and Rainer A. Rueppel. Message recovery for signature schemes based on the discrete logarithm problem. In EUROCRYPT, pages 182–193, 1994.
- Moni Naor and Vanessa Teague. Anti-persistence: history independent data structures. In ACM STOC, pages 492–501, 2001.
- Tatsuaki Okamoto. Provably secure and practical identification schemes and corresponding signature schemes. In CRYPTO, pages 31–53, 1992.
- OpenSSL project. http://www.openssl.org/.
- H. Ong and Claus-Peter Schnorr. Fast signature generation with a Fiat-Shamir-like scheme. In EUROCRYPT, pages 432–440, 1990.
- Stevens Institute of Technology. Blockchain just got much more powerful. https://www.stevens.edu/news/blockchain-just-got-much-more-powerful.
- Kevin Petrasic and Matthew Bornfreund. Beyond bitcoin: The blockchain revolution in financial services. http://www.whitecase.com/publications/insight/beyond-bitcoin-blockchain-revolution-financial-services.
- Jordan Pearson. The bitcoin blockchain could be used to spread malware, interpol says. http://motherboard.vice.com/read/the-bitcoin-blockchain-couldbe-used-to-spread-malware-interpol-says.
- Rafael Pass and Abhi Shelat. Micropayments for decentralized currencies. In CCS, pages 207–218, 2015.
- Rafael Pass, Lior Seeman, and abhi shelat. Analysis of the blockchain protocol in asynchronous networks. Cryptology ePrint Archive, Report 2016/454, 2016.
- Tal Rabin and Michael Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In STOC, pages 73–85, 1989.
- Phillip Rogaway and Mihir Bellare. Robust computational secret sharing and a unified account of classical secret-sharing goals. In CCS, pages 172–184, 2007.
- Tim Ruffing, Aniket Kate, and Dominique Schröder. Liar, liar, coins on fire!: Penalizing equivocation by loss of Bitcoins. In CCS, pages 219–230, 2015.
- European Securities and Markets Authority. The distributed ledger technology applied to security markets. Technical Report ESMA50-1121423017-285, January 2017.
- Claus-Peter Schnorr. Efficient signature generation by smart cards. J. Cryptology, 4(3):161–174, 1991.
- Alfredo De Santis, Giovanni Di Crescenzo, Rafail Ostrovsky, Giuseppe Persiano, and Amit Sahai. Robust non-interactive zero knowledge. In CRYPTO, pages 566–598, 2001.
- Mike Scott. Authenticated ID-based key exchange and remote log-in with simple token and PIN number. IACR Cryptology ePrint Archive, 2002:164, 2002.
- Adi Shamir. How to share a secret. Commun. ACM, 22(11):612–613, 1979.
- Hovav Shacham. A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. IACR Cryptology ePrint Archive, 2007:74, 2007.
- Victor Shoup. Lower bounds for discrete logarithms and related problems. In EUROCRYPT, pages 256–266, 1997.
- David Siegel. Understanding the DAO attack. http://www.coindesk.com/understanding-dao-hack-journalists/, 2016.
- Adi Shamir and Yael Tauman. Improved online/offline signature schemes. In CRYPTO, pages 355–367, 2001.
- James Smith, Jeni Tennison, Peter Wells, Jamie Fawcett, and Stuart Harrison. Applying blockchain technology in global data infrastructure. Technical Report ODI-TR-2016-001, Open Data Institute, 2016.
- Jeni Tennison. What is the impact of blockchains on privacy? https://theodi.org/blog/impact-of-blockchains-on-privacy.
- U.S. Government Accountability Office. Financial regulatory reform: Financial crisis losses and potential impacts of the Dodd-Frank Act. Technical report, U.S. Government Accountability Office, 2013.
- Lloyd R. Welch and Elwyn R. Berlekamp. Error correction of algebraic block codes, 1986. US Patent 4,633,470.
